Desktop context

May 18th, 2007 by ipsuid

I wish my Windows desktop had context - and context management.  This is something that I should think about implementing a solution for.

Think multiple desktops - but tied to a specific task or project.  Switch between them to let the computer manage the mental context for you.


Installing BIND 9 in a jail

May 13th, 2007 by ipsuid

I need to set up DNS on the new server to allow for testing the mail system - while the production mail server remains in operation serving the same domains.  Having DNS running will also simplify the migration of domains from the old DNS server to The Planet servers.  Their servers won’t allow me to specify IPs outside their network, so I need to transition the DNS in two steps.

Since I am likely to keep the DNS service running on this new box indefinitely, it is worth the effort now to secure it.

http://www.unixwiz.net/techtips/bind9-chroot.html seems to be a good resource for how to do this with bind9.

The only missing piece is allowing the chrooted BIND to log to syslog.  Edit /etc/sysconfig/syslog and change SYSLOGD_OPTIONS to:


SYSLOGD_OPTIONS="-m 0 -a /chroot/named/dev/log"

This will instruct syslog to create a socket file in the chroot dev directory. However, the SELinux targeted policy will block this from happening on a RHEL4 system. The fix is simply to ensure that the proper contexts are set on the chroot directories (specifically dev):


chcon -t device_t /chroot/named/dev
chcon -t etc_t /chroot/named/etc
chcon -t var_t /chroot/named/var
chcon -t var_run_t /chroot/named/var/run


Installing Postfix: Basic Minimal Installation

May 13th, 2007 by ipsuid

This is a RHEL4.1 box.  Switching over from a Gentoo box, I prefer to have much more control over how my mail system is compiled and installed.

So first:

yum remove sendmail

I’ll be setting up postfix from source, configuring it to use a MySQL database for virtual hosting, adding spam trapping/management, webmail, and vacation. And of course I need to set up both IMAP and POP3 in secure and unsecure versions, as well as some port forwarding to get around some braindead ISP policies. Finally, I will need to set up automated backup for the IMAP and webmail accounts.

This server will need to support SASL and TLS. But for a starting configuration, I build a version just with the mysql support. Once the main portions of the delivery chain are working, then it will be easier to enable the additional bells and whistles.

For MySQL support:

  • Add -DHAS_MYSQL and -I/include/directory/for/mysqlclient-library to the CCARGS
  • Add -L/path/to/mysqlclient-library, -lmysqlclient -lz and -lm to AUXLIBS
  • Requires: mysqlclient, libz and libm.

MySQL-only build:

make -f Makefile.init makefiles \
'CCARGS=-DHAS_MYSQL -I/usr/include/mysql' \
'AUXLIBS=-L/usr/lib/mysql/ -lmysqlclient -lz -lm'

make

I add users for postfix and postgroup per the basic postfix installation instructions.  Then do a “make install” and accept the defaults for all the prompts.  Next I add an entry to /etc/aliases directing root mail to kernd, then run “newaliases”.

I need to make a decision now on what interface I am going to run the mail server on.  So I guess now would be a good time to allocate some hostnames.

Here is the interface allocation on this machine:

Interface  Address      Hostname
eth0       74.53.36.82  sol
eth0:0     74.53.36.83  mercury
eth0:1     74.53.36.84  venus
eth0:2     74.53.36.85  earth
eth0:3     74.53.36.86  mars
eth0:4     74.53.36.87  ceres
eth0:5     74.53.36.88  jupiter
eth0:6     74.53.36.89  saturn
eth0:7     74.53.36.90  uranus
eth0:8     74.53.36.91  neptune
eth0:9     74.53.36.92  pluto
eth0:10    74.53.36.93  eris

So now that I have some names allocated, and since I want email to be delivered quickly, “mercury” would be a good name for the mail server.

Set options in /etc/postfix/main.cf (some of these are defaults from the install):

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
myhostname = mercury.reasonspace.com
mydomain = reasonspace.com
myorigin = $mydomain
inet_interfaces = 74.53.36.83
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
mynetworks = 74.53.36.82/31,74.53.36.84/30,74.53.36.88/30,74.53.36.92/31,127.0.0.0/8
home_mailbox = Maildir/
alias_maps = hash:/etc/aliases

Then give “postfix start” and check /var/log/maillog for any errors.  A “netstat -tna” shows that the SMTP server is listening on the correct address. Telnetting to port 25 on that IP lets me correctly send an email to a local user and to a remote user. So the basic configuration is working.
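The mynetworks line above decides which clients are trusted to relay, so it is worth checking that its CIDR blocks cover exactly the twelve addresses in the interface table and nothing else. The following is an added example, not part of the original post: the function name, the MAX_ENUM cut-off and the single /28 contrast value are assumptions made for illustration, and only literal CIDR entries are handled (table lookups and "!" exclusions are reported as invalid).

```python
import ipaddress

# Copied from the post: interface table (.82 sol .. .93 eris) and the mynetworks line.
ALLOCATED = [f"74.53.36.{n}" for n in range(82, 94)]
MYNETWORKS = ("74.53.36.82/31,74.53.36.84/30,74.53.36.88/30,"
              "74.53.36.92/31,127.0.0.0/8")
MAX_ENUM = 4096  # assumed cut-off: larger non-loopback blocks are flagged, not enumerated


def audit_mynetworks(value, allocated):
    """Compare the addresses trusted by a mynetworks value with the host's own."""
    own = {ipaddress.ip_address(a) for a in allocated}
    trusted, invalid, too_broad = set(), [], []
    for item in value.replace(",", " ").split():
        try:
            # strict=True rejects entries such as 74.53.36.82/30 (host bits set)
            net = ipaddress.ip_network(item, strict=True)
        except ValueError:
            invalid.append(item)
            continue
        if net.is_loopback:
            continue  # 127.0.0.0/8 never leaves the machine
        if net.num_addresses > MAX_ENUM:
            too_broad.append(item)
            continue
        trusted.update(net)  # every address in the block, not just .hosts()
    return {
        "missing": [str(a) for a in sorted(own - trusted)],
        "extra": [str(a) for a in sorted(trusted - own)],
        "invalid": invalid,
        "too_broad": too_broad,
    }


if __name__ == "__main__":
    print("post's value:", audit_mynetworks(MYNETWORKS, ALLOCATED))
    # Constructed contrast: one /28 is shorter to type but also trusts
    # .80, .81, .94 and .95, which are not addresses on this machine.
    print("single /28  :", audit_mynetworks("74.53.36.80/28,127.0.0.0/8", ALLOCATED))
```

An empty "extra" list means no address outside the machine's own allocation is trusted to relay; anything listed there belongs to someone else on the provider's network.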
